VYPR
Low severity (3.5) · NVD Advisory · Published Feb 5, 2026 · Updated Apr 15, 2026

CVE-2020-37148

Description

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in P5 FNIP-8x16A/FNIP-4xSH relays allows attackers to execute arbitrary HTML/script via unsanitized parameters, exploited through label modification.

Vulnerability Overview

CVE-2020-37148 describes a stored cross-site scripting (XSS) vulnerability affecting P5 FNIP-8x16A and FNIP-4xSH relay modules (firmware versions 1.0.20 and 1.0.11). The web interface fails to sanitize user input passed to several GET/POST parameters before returning it to the browser, enabling attackers to inject arbitrary HTML and JavaScript code. The vulnerability is specifically triggered through the label modification functionality, such as the 'lab4' parameter in config.html [1][3].

Exploitation Vector

An attacker can exploit this vulnerability by sending a crafted request targeting the labeling feature of the device's web interface. Because the input is not validated or escaped, the malicious payload is stored on the server and subsequently executed in any user's browser session that views the affected page. No authentication is required for the attacker to inject the payload, though the victim must be logged into the device's web interface for the script to execute in the context of the application [1].

Impact Assessment

Successful exploitation allows an attacker to perform actions with the privileges of the logged-in victim, such as modifying device settings, creating new administrative users, or controlling relay outputs. Additionally, the same advisory notes that the device is also susceptible to cross-site request forgery (CSRF), which can be combined with the stored XSS to escalate the attack, such as adding an admin user without the victim's knowledge [2][3].

Mitigation Status

At the time of disclosure, the vendor P5 had not provided a patched firmware version. Users of the affected models are advised to restrict network access to the device's web interface and monitor for malicious activity. The vulnerability has also been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation or public exploit availability [1][2][3].
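As an added example (not part of the advisory or any vendor tooling), the monitoring advice above can be implemented as a check over access logs from a reverse proxy placed in front of the relay. It assumes combined-format log lines and that label fields are named `lab` plus digits, generalised from the `lab4` parameter named in the description; it only sees GET query strings, so POST bodies need a separate capture point.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: label fields are named "lab" plus digits, generalised from the
# 'lab4' parameter named in the advisory.
LABEL_PARAM = re.compile(r"^lab\d+$")
# Characters and tokens a plain-text relay label has no reason to contain.
# Quotes can appear in legitimate labels; tune this set to local naming habits.
MARKUP = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Source address and request line of a combined-format access log entry.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_label_writes(lines):
    """Return (source, parameter, decoded value) for label values carrying markup."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/config.html"):
            continue  # only the label modification page is of interest
        # parse_qsl percent-decodes, so encoded markup is inspected in decoded form.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if LABEL_PARAM.match(name) and MARKUP.search(value):
                hits.append((m.group("src"), name, value))
    return hits

# Constructed sample lines (not from a real device or from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2026:10:00:01 +0000] "GET /config.html?lab4=Pump+2 HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/Feb/2026:10:02:13 +0000] "GET /config.html?lab4=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Feb/2026:10:03:40 +0000] "GET /index.html?lab4=%3Cb%3E HTTP/1.1" 200 300',
    '192.0.2.77 - - [05/Feb/2026:10:04:02 +0000] "GET /config.html?lab1=Door&lab2=x%22+onfocus%3Dy HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, name, value in suspicious_label_writes(SAMPLE_LOG):
        print(f"{src} wrote markup into {name}: {value!r}")
```

Because the payload is stored, a hit means the label should also be reviewed and reset on the device itself, not just the request blocked.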

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
